1From ab51d587bb9b229b1fade1afd02e1574c1ba5c76 Mon Sep 17 00:00:00 2001
2From: Lukas Czerner <lczerner@redhat.com>
3Date: Thu, 21 Apr 2022 19:31:48 +0200
4Subject: [PATCH] libext2fs: add sanity check to extent manipulation
5
6It is possible to have a corrupted extent tree in such a way that a leaf
7node contains zero extents in it. Currently if that happens and we try
8to traverse the tree we can end up accessing wrong data, or possibly
9even uninitialized memory. Make sure we don't do that.
10
11Additionally make sure that we have a sane number of bytes passed to
12memmove() in ext2fs_extent_delete().
13
14Note that e2fsck is currently unable to spot and fix such corruption in
15pass1.
16
17Signed-off-by: Lukas Czerner <lczerner@redhat.com>
18Reported-by: Nils Bars <nils_bars@t-online.de>
19Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
20Addresses: CVE-2022-1304
21Addresses-Debian-Bug: #1010263
22Signed-off-by: Theodore Ts'o <tytso@mit.edu>
23---
24 lib/ext2fs/extent.c | 8 ++++++++
25 1 file changed, 8 insertions(+)
26
27diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
28index b324c7b..1a206a1 100644
29--- a/lib/ext2fs/extent.c
30+++ b/lib/ext2fs/extent.c
31@@ -495,6 +495,10 @@ retry:
32 ext2fs_le16_to_cpu(eh->eh_entries);
33 newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
34 
35+ /* Make sure there is at least one extent present */
36+ if (newpath->left <= 0)
37+ return EXT2_ET_EXTENT_NO_DOWN;
38+
39 if (path->left > 0) {
40 ix++;
41 newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
42@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
43 
44 cp = path->curr;
45 
46+ /* Sanity check before memmove() */
47+ if (path->left < 0)
48+ return EXT2_ET_EXTENT_LEAF_BAD;
49+
50 if (path->left) {
51 memmove(cp, cp + sizeof(struct ext3_extent_idx),
52 path->left * sizeof(struct ext3_extent_idx));
53--
541.8.3.1
55
56
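Review bot: Reporting a child header with zero entries as EXT2_ET_EXTENT_NO_DOWN, at the `return` added right after the `newpath->max_entries` assignment, labels on-disk corruption with what reads like the ordinary "cannot descend further" outcome, so a caller that treats NO_DOWN as "reached the bottom" may stop quietly instead of surfacing the damage the description says pass1 cannot currently detect. Whether any caller relies on that distinction is not visible here, but the second hunk already answers the same zero-entries condition with `EXT2_ET_EXTENT_LEAF_BAD`, so a corruption-specific code (that one, or an index-node counterpart if the error table has one) would keep the two paths consistent and let e2fsck tell the cases apart. The guard also returns with `newpath` only partly written (`left` and `max_entries` set, `end_blk` not), which is harmless only if the handle's level is not advanced before this point; that assumption deserves a line in the comment, e.g. `/* Corrupt header: no entries. Bail before end_blk/curr are set; the level is not advanced, so newpath is discarded. */` — confirm against the level bookkeeping. The enclosing function (only its `retry:` label is visible in the hunk header) starts and ends outside this hunk.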
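Review bot: The comment `/* Sanity check before memmove() */` on the new guard in ext2fs_extent_delete does not say what it defends against, so a reader of the `< 0` test cannot tell from this hunk how `path->left` goes negative or why that is dangerous. The length argument on the memmove() two lines below is `path->left * sizeof(struct ext3_extent_idx)`, so a negative int is converted to size_t there and becomes an enormous length; given the description attributes the bug to a leaf with zero extents, `left` is presumably the count of entries after `curr` and lands at -1 in that case, which I would spell out: `/* A leaf whose header claims zero entries presumably leaves path->left at -1; the memmove() length below would convert that int to a huge size_t. */`. Note the guard is a lower bound only: it still trusts that `path->left` was bounded by the node's entry count when this level was built, which the hunk cannot show — if header verification does not guarantee that, an upper bound belongs here as well. The remainder of ext2fs_extent_delete, including whatever bookkeeping follows the memmove(), is outside the hunk.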